Posted on 12.09.05 by Admin @ 4:12 am
The 2005 Sony CD copy protection controversy is a public controversy relating to copy protection software known as Extended Copy Protection (XCP), created by First 4 Internet and used by the media company Sony BMG Music Entertainment (henceforth “Sony”, though that more accurately refers to the corporate parent of one of the partners in Sony BMG) on audio CDs.

On October 31, 2005, Mark Russinovich posted to his blog a detailed description and technical analysis of the characteristics of the software contained on Sony music CDs. Called Sony, Rootkits and Digital Rights Management Gone Too Far, the article asserts vocally that the software is illegitimate and that digital rights management had “gone too far”. He stated that there were shortcomings in the software design that manifest themselves as security holes that can be exploited by malicious software such as worms or viruses. Several comments to the entry recommended a lawsuit against Sony.

Press reports

In a November 7, 2005 article, vnunet.com summarised Russinovich’s finding in a less technically detailed way, and urged consumers to avoid buying Sony music CDs for the time being. The following day, The Boston Globe (boston.com) classified the software as spyware and confirmed that it communicates personal information from consumers’ computers to Sony. The methods used by the software to avoid detection were likened to those used by data thieves.

After the first virus which made use of Sony’s stealth technology to make their malicious files invisible to both the user and anti-virus programs surfaced on November 10, 2005, Yahoo! News announced on November 11, 2005 that Sony has suspended further distribution of the controversial technology.

Microsoft identifies software as spyware

According to BBC News on November 14, 2005, Microsoft has decided to classify Sony’s software as “spyware” and provide tools for its removal. In both this and the previous Yahoo!
News announcement, Mark Russinovich is quoted as saying, “This is a step they should have taken immediately.”

Sony’s rootkit removal program

Sony released a software utility to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers, but this removal utility was soon revealed as only exacerbating the privacy and security concerns. In fact, the Sony program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit. In addition, this program was reported to install additional software that cannot be uninstalled. In order to download the uninstaller, it is necessary to provide an e-mail address, and to install an ActiveX control containing backdoor methods (marked as “safe for scripting”, and thus prone to exploits).

On November 18, 2005, Sony BMG provided a “new and improved” removal tool to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers.

Opponents of Sony’s actions, especially Slashdot and Digg users, later accused Sony of violating the privacy of its customers to create a backdoor onto their machine using code that even violates an Open Source license. They claimed that this DRM program, designed to give Sony control over the customer’s machine in the name of copyright protection, is itself infringing copyright by including code from the LAME MP3 library. It appears that, since LAME is under the LGPL, this situation could be rectified by SONY offering a copy of the LAME source code, as well as adding a notice that it was using code from the library (though this would not be a defense against past damages); additionally it appears that the LAME code was added only to permit detection of attempts to rip the CD using LAME (not to actually implement LAME or call functions from it).

Product recall

On November 15, 2005, vnunet.com announced that Sony is backing out its copy-protection software, recalling unsold CDs from all stores, and offering to let consumers exchange their CDs for versions lacking the software. The Electronic Frontier Foundation compiled a partial list of CDs with XCP. Sony is quoted as maintaining that “there were no security risks associated with the anti-piracy technology”, despite numerous virus and malware reports.

On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony introduces further vulnerabilities to a system. US-CERT advised, “Do not install software from sources that you do not expect to contain software, such as an audio CD.”

Sony announced that it has instructed retailers to remove any unsold music discs containing the software from their shelves. [15] It is estimated by internet expert Dan Kaminsky that XCP is in use on more than 500,000 networks. CDs with XCP technology can be identified by the letters “XCP” printed on the back cover of the jewel case for the CD.

On November 18, 2005, Reuters reported that music publisher Sony BMG would swap affected unsecure CDs for new unprotected disks as well as unprotected MP3 files. Information about the swap can be found at the Sony BMG swap program website. As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and would be sent an unprotected disc via return mail.

On November 29, 2005 the New York Attorney General Eliot Spitzer found through his investigators that, despite the recall of November 15, Sony CDs with XCP were still for sale in New York City music retail outlets.
Spitzer said, “It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year,” “I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony.”

On November 30, 2005 Massachusetts Attorney General Tom Reilly issued a statement saying that Sony CDs with XCP were still available in Boston despite the Sony recall of November 15. Attorney General Reilly advised consumers not to purchase the Sony CDs with XCP and said that he was conducting an investigation of Sony BMG.

Legal situation

Class action suits have been filed against Sony in New York and California.

On November 21, 2005 the Texas Attorney General, Greg Abbott, sued Sony BMG. Texas is the first state in the nation to bring legal action against SONY for illegal “spyware.” The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

Threats of legal action in Italy have also been reported.

On November 21, EFF announced that they were also pursuing a lawsuit over both XCP and the SunnComm MediaMax DRM technology.

On December 6, 2005 Sony-BMG said that 5.7 million of its CDs were shipped with SunnComm MediaMax that requires a new software patch to prevent a potential security breach in consumers’ computers. The security vulnerability was discovered by EFF and brought to the attention of Sony-BMG. The MediaMax Version 5 software was loaded on 27 Sony BMG titles.

All these suits are regarding security threats and other damage to customer computers, not copyright issues in the code. The EFF lawsuit also involves issues concerning the Sony end user license agreement.

A Slashdot story noted that the rootkit includes code and comments (such as “copyright (c) Apple Computer, Inc. All Rights Reserved.”) illegally copied from the program VLC by Jon Lech Johansen and Sam Hocevar, the former best known for being prosecuted in connection with DeCSS (which circumvents the digital rights management mechanism used on movie DVDs).

Another exploit

According to ZDNet News: “The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases.” The uninstall program obeys commands sent to it allowing others “to take control of PCs where the uninstaller has been used.”

Larger issues

Many larger issues are raised by the intrusion of Sony’s software into users’ computer systems:





